Bump minimatch and eslint#2
Closed
dependabot[bot] wants to merge 2 commits intomainfrom
Closed
Conversation
Bumps [minimatch](https://github.com/isaacs/minimatch) to 10.2.2 and updates ancestor dependency [eslint](https://github.com/eslint/eslint). These dependencies need to be updated together. Updates `minimatch` from 3.1.2 to 10.2.2 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v10.2.2) Updates `eslint` from 9.39.1 to 10.0.1 - [Release notes](https://github.com/eslint/eslint/releases) - [Commits](eslint/eslint@v9.39.1...v10.0.1) --- updated-dependencies: - dependency-name: minimatch dependency-version: 10.2.2 dependency-type: indirect - dependency-name: eslint dependency-version: 10.0.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
Contributor
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
bird-m
added a commit
that referenced
this pull request
Apr 15, 2026
Review-panel #1 (Severe): Remove competing browser tab in requires_auth path. The requires_auth branch opened the backend's redirect URL via opn() then fell through to performAmplitudeAuth which opened a second browser tab with mismatched PKCE. Now we skip the backend URL and let performAmplitudeAuth handle the entire flow. Added TODO to evaluate using the backend URL in a follow-up. Review-panel #2 (Critical): Init feature flags in agent/CI paths so _headlessSignupEnabled can be true. Previously the flag was only set in the TUI interactive path, making the entire agent/CI headless signup block unreachable dead code. Review-panel #3 (Important): Pre-populate HeadlessSignupScreen from CLI --email/--full-name flags. Auto-submit if both are present. Review-panel #4 (Important): Redact email in agent NDJSON log output to match the redaction pattern in headless-signup.ts. Review-panel #7 (Important): Split fullName into first_name/last_name on first space before sending to provisioning endpoint. Review-panel #9 (Nit): Replace non-null assertions on headlessSignupEmail/headlessSignupFullName with an explicit guard. Review-panel #10 (Nit): Extract completeSignupTokenExchange into headless-signup.ts as a shared helper used by both the agent/CI and TUI code paths, reducing duplication and drift risk. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bird-m
added a commit
that referenced
this pull request
Apr 16, 2026
Table.tsx was introduced with no consumers. Remove it to avoid dead code on merge — can be re-added in the PR that actually needs it. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bird-m
added a commit
that referenced
this pull request
Apr 16, 2026
Use z.string().trim().toLowerCase().email() for consistent validation and automatic normalization (trim + lowercase) instead of a hand-rolled regex. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bird-m
added a commit
that referenced
this pull request
Apr 16, 2026
…ilure Thread allowBrowserRecovery: false through completeAuth for the non-interactive signup path and interactive headless signup path. If fetchAmplitudeUser fails after a brand-new token exchange, surface the error and exit AUTH_REQUIRED instead of contradicting the browserless contract by launching a browser. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7 tasks
kelsonpw
added a commit
that referenced
this pull request
Apr 17, 2026
… picker) Batch of bird-m and Bugbot findings from PR #112: #1 claudeCodeMode default mismatch (medium, flagged 3×): addMCPServerToClientsStep silently defaulted to 'plugin' while mcp-installer.ts defaulted to 'mcp'. Non-TUI fallback via bin.ts could install the plugin with no user prompt. Aligned both to 'mcp' as the safer default — plugin is interactive-only now. #3 remove flow can't uninstall plugin (medium, flagged 2×): getInstalledClients only ever instantiated ClaudeCodeMCPClient. After plugin install removes the bare `amplitude` MCP entry, isServerInstalled returned false and `wizard mcp remove` silently skipped Claude Code. Added an explicit ClaudeCodePluginClient probe before falling through to the MCP check. #4 non-TUI `local` flag ignored for plugin path (low, Bugbot): addMCPServerToClientsStep now forces 'mcp' mode whenever local=true, matching the TUI's behavior. The plugin hardcodes the prod URL and can't serve localhost. #5 `as unknown as RawMCPClient[]` cast (nit, bird-m): resolveClientsForMode returns MCPClient[] directly; the local RawMCPClient interface was a holdover. Dropped the cast and removed the unused interface — install loop now type-checks against MCPClient directly. #6 older Claude CLIs fail opaquely (nit, bird-m): ClaudeCodePluginClient.isClientSupported now probes `claude plugin --help` in addition to `--version`. resolveClientsForMode is async and checks plugin support before swapping — older CLIs quietly keep ClaudeCodeMCPClient instead of failing during `marketplace add`. #7 single-Claude-Code hid plugin/MCP choice (medium, Bugbot): detected.length === 1 routed to Phase.Ask, which doesn't show the split picker. Now: if the lone detected tool is Claude Code and no escape hatch is set, route to Phase.Pick so the user sees plugin vs MCP rows. #8 resolveSelection misleading default (low, Bugbot): wantsPlugin || !wantsMcp ? 'plugin' : 'mcp' returned 'plugin' when the user unchecked both Claude Code rows. Simplified to wantsPlugin ? 'plugin' : 'mcp' — explicit semantics, still correct since downstream guards the Claude-Code-absent case. #9 Codex Windows detection (low, Bugbot): `command -v` is POSIX-only; Windows never matched. Use `where codex` on win32, `command -v codex` on POSIX. Take the first line since `where` may return multiple paths. Narrowed the bundled-app exclusion to macOS only (Conductor-specific). #10 multi-picker uncheck-all dead code (medium, Bugbot): MultiPickerMenu's Enter handler fell back to the focused row when selected was empty, so a user who unchecked every pre-selected row got one install instead of a skip. Now: if defaultSelected was provided, an empty set means deliberate — pass [] through to the caller. Also fixed lexicographic index sort → numeric. #? dev script env var at build-time (low, Bugbot): `AMPLITUDE_WIZARD_DEV=1 pnpm build` only scoped the var to the build subprocess, not the globally-linked binary. Removed from the `dev` script since it was ineffective there — `try` still sets it at runtime where it actually works. Addressed in comment, no code change: #2 non-atomic settings.json write — already replaced with `claude plugin marketplace add` CLI in commit 4679fc4. No direct file write remains. 974 tests pass, lint clean, smoke test passes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
30 tasks
6 tasks
kelsonpw
added a commit
that referenced
this pull request
Apr 26, 2026
Bugbot caught: the try/finally wrapping runAgentWizardBody won't execute cleanupWizardArtifacts on the error paths (AUTH_ERROR / MCP_MISSING / RESOURCE_MISSING / GATEWAY_DOWN / RATE_LIMIT / API_ERROR) because those paths call wizardAbort, which calls process.exit(). process.exit terminates the process immediately and skips pending async finally blocks — so the exact paths this PR's change #2 was trying to cover would have silently still leaked artifacts. Fix: register cleanupWizardArtifacts via registerCleanup() so wizardAbort runs it synchronously before exiting, AND keep the try/finally so success / uncaught-exception paths still cover themselves. cleanupWizardArtifacts is idempotent (each component existsSync-checks before unlinking; cleanupIntegrationSkills uses fs.rmSync with force: true) so double-firing is safe. Co-Authored-By: Cursor Bugbot <bugbot@cursor.com>
kelsonpw
added a commit
that referenced
this pull request
Apr 26, 2026
…261) * feat(wizard): gitignore + always-clean wizard artifacts after a run Today, after a wizard run, the user's project ends up with this in git status: new file: .amplitude-events.json new file: .claude/skills/integration-javascript_web/... new file: .claude/skills/add-analytics-instrumentation/... new file: .claude/skills/amplitude-chart-dashboard-plan/... new file: .claude/skills/amplitude-quickstart-taxonomy-agent/... modified: .gitignore (only adds .env.local) A `git add .` after the wizard sweeps all of that into the user's commits. Three real bugs: 1. .gitignore doesn't cover wizard artifacts. Highest leverage — regardless of whether files stay on disk for re-invocation, they should never be tracked. 2. cleanupIntegrationSkills only ran on the success path. If the agent errored, was killed, or hit a wizard error after skills were installed but before outro, integration skills leaked. 3. .amplitude-events.json sticks around. The commandments tell the inner Claude agent to delete it during the conclude phase, but model variance means it's not always honored. Fixes: ensureWizardArtifactsIgnored(installDir) Idempotent — appends a marked block of patterns to .gitignore. If the marker already exists from an older wizard version, replaces the block in place. Creates .gitignore if missing. cleanupAmplitudeEventsFile(installDir) Removes .amplitude-events.json. Backstops the agent's conclude-phase deletion. cleanupWizardArtifacts(installDir) Composes the two cleanups. Safe to call from any exit path. Wiring: - runAgentWizard now calls ensureWizardArtifactsIgnored on entry (before any skill installs) - The cleanup is moved into a try/finally so it runs on success, error, AND cancel paths - Removed the duplicate success-path call Instrumentation and taxonomy skills are STILL kept on disk for later invocation — that design is unchanged. They're just gitignored so "kept on disk" doesn't mean "committed to git" anymore. Tests: +31 in wizard-tools.test.ts (47 total). Suite green (1248 pass). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix: stop ensureWizardArtifactsIgnored from eating user content below the wizard block Bug: the regex `# Amplitude wizard(?:\n[^\n]*)*` was greedy and used `[^\n]*` (zero or more), so it matched blank lines (empty content between two newlines) and kept consuming. On a wizard upgrade that added a new pattern, replacing the marked block would silently delete EVERYTHING below it in the user's .gitignore — `dist/`, `.env`, etc. Fix: change the inner repetition to `[^\n]+` (one or more) so the regex stops at the first blank line. Pinned with a regression test that asserts user content below the block survives an in-place replacement. Without this, shipping #261 would have silently destroyed user gitignore content on the next wizard run after a pattern change. * fix: cleanup runs on wizardAbort error paths via registerCleanup Bugbot caught: the try/finally wrapping runAgentWizardBody won't execute cleanupWizardArtifacts on the error paths (AUTH_ERROR / MCP_MISSING / RESOURCE_MISSING / GATEWAY_DOWN / RATE_LIMIT / API_ERROR) because those paths call wizardAbort, which calls process.exit(). process.exit terminates the process immediately and skips pending async finally blocks — so the exact paths this PR's change #2 was trying to cover would have silently still leaked artifacts. Fix: register cleanupWizardArtifacts via registerCleanup() so wizardAbort runs it synchronously before exiting, AND keep the try/finally so success / uncaught-exception paths still cover themselves. cleanupWizardArtifacts is idempotent (each component existsSync-checks before unlinking; cleanupIntegrationSkills uses fs.rmSync with force: true) so double-firing is safe. Co-Authored-By: Cursor Bugbot <bugbot@cursor.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Cursor Bugbot <bugbot@cursor.com>
6 tasks
kelsonpw
added a commit
that referenced
this pull request
Apr 26, 2026
Closes #297. Real user log (run_id 66d9fa51, Sentry #7442894144) showed the wizard crashing ~40s into the new attempt with: CLI stderr: Error in hook callback hook_0: Error: Stream closed at m98.sendRequest … Tool permission request failed: Error: Stream closed Root cause: the outer retry loop in `runAgent` calls `signalDone()` and then `continue`s to the next attempt without telling the SDK its prior Query iterator is done. The SDK's underlying subprocess remains alive just long enough for an in-flight tool-use message to fire our PreToolUse hook callback through a stdio bridge that is mid-teardown. The bridge fails on `m98.sendRequest`, the SDK converts the failure into a tool_result with `is_error: true`, and the run dies because the agent can't recover from a tool-permission failure. Fix: hoist the SDK `Query` (an `AsyncIterable<unknown>` here, but its concrete `Query` type extends `AsyncGenerator`) so the catch and post-stream retry paths can call `.return()` on it before the next attempt. `.return()` propagates an EOF down the AsyncGenerator protocol; the SDK closes its stdio cleanly. Errors from `.return()` itself are expected during teardown and are swallowed via a tiny `drainPriorResponse` helper. Defense in depth: also add `'Stream closed'` to the transient error pattern list. If a Stream closed somehow does still bubble out (e.g. late SDK cleanup), the catch path treats it as transient and retries cleanly instead of throwing API_ERROR. Tests: - New: drains the prior response iterator before retrying after a transient API error — spies on .return() and asserts it fires during attempt #1, before query() is invoked for attempt #2. - New: classifies Stream closed errors as transient and retries — locks down the defense-in-depth pattern. - Existing 119 runAgent tests still green (stall retry, GATEWAY_DOWN classification, race-condition handling, legacy text markers, etc.). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced Apr 28, 2026
kelsonpw
added a commit
that referenced
this pull request
Apr 28, 2026
…331) * fix: gracefully handle late-stage API errors so users see the Outro Two related fixes for a UX gap surfaced when an agent run hits an API error AFTER all the meaningful work (events instrumented, dashboard created, setup report written) has completed. Symptom: the wizard would call wizardAbort -> getUI().cancel() -> process.exit(NETWORK_ERROR) before Ink had time to render the next frame, so the user saw a half-rendered "API error occurred" status banner and a sudden process death — no MCP install offer, no Slack prompt, no Outro screen with bug-report hotkeys, and a misleading network error code in CI even though the project was fully set up. ## Fix #1 — wizardAbort awaits OutroScreen dismissal in TUI mode - WizardUI.cancel() returns Promise<void> instead of void. - InkUI: returns a promise that resolves when the OutroScreen is dismissed (keypress / picker action) OR after a 5-minute safety timeout. The TUI now actually gets to render the failure state. - AgentUI / LoggingUI: resolve immediately. No TUI to render, no human to interact. - WizardStore exposes outroDismissed() / signalOutroDismissed() — a one-shot promise that bridges the OutroScreen render loop to wizardAbort. Idempotent and pre-resolves correctly when dismissal arrives before any awaiter (race-safe). - OutroScreen non-success keypress handler now calls store.signalOutroDismissed() instead of process.exit(0). Lets wizardAbort drive the actual exit with the right exit code, run analytics shutdown, and flush Sentry — none of which were happening before because process.exit(0) jumped the queue. - wizardAbort awaits getUI().cancel() before process.exit. UI errors in the await are caught + ignored so a busted UI can't trap the user in a hung process. ## Fix #2 — soft-error path: agent finished, just continue - New `agentArtifactsLookComplete(session)` predicate checks for the dashboard URL on the session. The dashboard MCP create is the last thing the agent does in its conclude phase, after events are instrumented and the setup report is written; if it succeeded, the user's project is in a working state. - API_ERROR / RATE_LIMIT branch in runAgentWizardBody now splits: - artifacts complete -> log a soft-error analytics event, surface a non-fatal status banner, fall through to the post-agent steps (env upload, MCP, Slack, DataIngestion, Outro). User gets the full success experience minus a "late API call failed but your setup is complete" warning. - artifacts missing -> existing hard-abort path, now extracted into `abortOnApiError()` for clarity. ## Tests - src/ui/tui/__tests__/store.test.ts: outroDismissed resolves on signalOutroDismissed, returns the same promise for concurrent awaiters, pre-resolves on early dismissal, and is idempotent. - src/lib/__tests__/agent-runner.test.ts: agentArtifactsLookComplete returns true with a real dashboard URL, false with null, false with empty string. Verified: pnpm lint clean (1 pre-existing warning in untouched code), pnpm test 1660 passing (+7 new tests). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix: address bugbot findings on wizardAbort sequencing Two related bugbot findings on PR 331: 1. **Medium: outro-hotkey analytics events were silently dropped.** `analytics.shutdown()` ran before `getUI().cancel(...)`, but cancel now blocks until the user dismisses the OutroScreen. Any `wizardCapture` calls fired during that interaction — `'error outro log opened'` (press L), `'error outro bug report written'` (press C) — got queued *after* the final flush and dropped on `process.exit`. Fix: flip the order to cancel-then-shutdown so those events are flushed in the post-outro batch. 2. **High: process hangs on the version-check cancel path.** `agent-runner.ts` `runAgentWizard` called `getUI().cancel(...)` then `return false` for unsupported framework versions. With cancel now async + awaiting outro dismissal, the user dismisses the outro but nothing exits — Ink keeps the event loop alive indefinitely. The old `process.exit(0)` in OutroScreen used to be the de-facto exit for this path; replacing it with `signalOutroDismissed()` exposed the hang. Fix: route this path through `wizardAbort` (which always exits), and extend `wizardAbort` to forward `cancelOptions.docsUrl` so the manual setup link still surfaces in the Outro. Tests: - New: cancel-before-shutdown ordering, cancelOptions.docsUrl forwarding. - Updated: existing ordering tests flipped to match new sequence; cancel-call-arity expectations include the new options arg. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps minimatch to 10.2.2 and updates ancestor dependency eslint. These dependencies need to be updated together.
Updates
minimatchfrom 3.1.2 to 10.2.2Changelog
Sourced from minimatch's changelog.
... (truncated)
Commits
f42b23910.2.2fa2133bupdate depsb9d0153ci: update action workflows35d9ee9expand engines to include node 186d7ac3410.2.12e111f3coalesce consecutive non-globstar * characters1a62a2a10.2.0758b5a3changelog 10.2903e50badd braceExpandMax option, formata50a11010.1.3Install script changes
This version adds
preparescript that runs during installation. Review the package contents before updating.Updates
eslintfrom 9.39.1 to 10.0.1Release notes
Sourced from eslint's releases.
... (truncated)
Commits
0bd549710.0.1ddb80efBuild: changelog update for 10.0.1c87d5bdfix: update eslint (#20531)e5c281fchore: updates for v9.39.3 released841001fix: updateminimatchto10.2.1to address security vulnerabilities (#20519)8c3832achore: update@typescript-eslint/parserto ^8.56.0 (#20514)5b3dbcedocs: add AI acknowledgement section to templates (#20431)04c2147fix: update error message for unused suppressions (#20496)8330d23test: add tests for config-api (#20493)37d6e91chore: remove eslint v10 prereleases from eslint-config-eslint deps (#20494)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.